This reverts commit e2c5b64.
Pull request overview
This PR updates the repository’s Dify deployment assets by introducing a new Docker Compose setup (including templating + env-driven generation), adding supporting reverse-proxy/SSL/SSRF-proxy components, and updating various service configurations and example env files.
Changes:
- Add an auto-generation workflow for `docker-compose.yaml` from `.env.example` + a compose template.
- Introduce a full Docker deployment bundle under `code/` (nginx reverse proxy templates, certbot helper container, SSRF proxy, vector DB/service configs).
- Update Dify-related compose files and environment examples (including image version bumps and new env vars).
Reviewed changes
Copilot reviewed 33 out of 38 changed files in this pull request and generated 15 comments.
| File | Description |
|---|---|
| package-lock.json | Updates the lockfile package name metadata. |
| dify/update.js | Disables upstream repo sync steps; only mutates local compose file. |
| dify/code/generate_docker_compose | Adds Python generator to inject shared env block into compose output. |
| dify/code/elasticsearch/docker-entrypoint.sh | Adds conditional Elasticsearch plugin installation for elasticsearch-ja. |
| dify/code/docker-compose.yaml | Updates generated compose output (env block + service definitions). |
| dify/code/docker-compose-template.yaml | Adds/updates compose template used for generation. |
| dify/code/.env.example | Updates Dify env example (new vars/defaults and config re-org). |
| code/volumes/sandbox/dependencies/python-requirements.txt | Sandbox dependency file included in the deployment bundle. |
| code/volumes/sandbox/conf/config.yaml.example | Adds example sandbox config YAML. |
| code/volumes/sandbox/conf/config.yaml | Adds a sandbox config YAML intended for mounting into the container. |
| code/volumes/opensearch/opensearch_dashboards.yml | Adds OpenSearch Dashboards configuration file. |
| code/volumes/oceanbase/init.d/vec_memory.sql | Adds OceanBase init SQL for vector memory limit. |
| code/volumes/myscale/config/users.d/custom_users_config.xml | Adds MyScale/ClickHouse user network config. |
| code/startupscripts/init_user.script | Adds Oracle init script to create user and preferences. |
| code/startupscripts/init.sh | Adds Oracle init wrapper script with “initialized” marker. |
| code/ssrf_proxy/squid.conf.template | Adds Squid configuration template for proxy + sandbox reverse proxy. |
| code/ssrf_proxy/docker-entrypoint.sh | Adds Squid entrypoint to template config + forward logs to stdout. |
| code/nginx/ssl/.gitkeep | Keeps nginx SSL directory in git. |
| code/nginx/proxy.conf.template | Adds nginx proxy settings template. |
| code/nginx/nginx.conf.template | Adds nginx main config template driven by env vars. |
| code/nginx/https.conf.template | Adds nginx HTTPS snippet template driven by env vars. |
| code/nginx/docker-entrypoint.sh | Adds nginx entrypoint to envsubst templates and conditionally enable HTTPS. |
| code/nginx/conf.d/default.conf.template | Adds nginx vhost template routing to api/web/plugin endpoints. |
| code/middleware.env.example | Adds middleware env example for db/redis/sandbox/ports/plugin daemon. |
| code/generate_docker_compose | Adds Python generator to create compose env anchor from .env.example. |
| code/elasticsearch/docker-entrypoint.sh | Adds conditional Elasticsearch plugin installation for elasticsearch-ja. |
| code/docker-compose.yaml | Adds generated full compose for Dify deployment bundle. |
| code/docker-compose.png | Includes docker-compose diagram/image asset. |
| code/docker-compose.middleware.yaml | Adds middleware-only compose for local development (db/redis/sandbox/etc). |
| code/docker-compose-template.yaml | Adds compose template used by the generator. |
| code/couchbase-server/init-cbserver.sh | Adds Couchbase init script to create cluster/bucket on first start. |
| code/couchbase-server/Dockerfile | Adds Couchbase image build to include init script. |
| code/certbot/update-cert.template.txt | Adds certbot update/renew helper script template. |
| code/certbot/docker-entrypoint.sh | Adds certbot container entrypoint to generate update script from template. |
| code/certbot/README.md | Documents certbot profile usage and renewal workflow. |
| code/README.md | Documents new Docker deployment approach and migration notes. |
| code/.env.example | Adds comprehensive env example used by generator and deployment bundle. |
| .gitignore | Adds .DS_Store to ignored files. |
```js
// await utils.cloneOrPullRepo({ repo: "https://github.com/langgenius/dify.git" });
// await utils.copyDir("./repo/docker", "./code");
await utils.removeContainerNames("./code/docker-compose.yaml");
await utils.removePorts("./code/docker-compose.yaml");
```
The repo sync steps are commented out, so this update script will no longer clone/pull the upstream Dify repo or refresh ./code before editing docker-compose.yaml. As a result, running the top-level update process on a clean checkout (or after upstream changes) will likely fail or leave stale files. Please either re-enable cloneOrPullRepo/copyDir or add a clear conditional/path check with an explicit error explaining the prerequisite.
```python
# If default value contains special characters, wrap it in quotes
if re.search(r"[:\s]", default):
    default = f"{default}"
lines.append(f"  {key}: ${{{key}:-{default}}}")
```
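Review bot: `key` and `default` are both placed into the emitted line unvalidated and unescaped, so YAML quoting of the default is not the only concern here. A key read from `.env.example` that is not a plain identifier (one containing `:` or whitespace) injects YAML structure into the generated compose file, and a `$` inside a default is interpolated again by Compose at `up` time unless it is written as `$$`. Suggest rejecting keys that fail `^[A-Za-z_][A-Za-z0-9_]*$` and applying `default.replace("$", "$$")` before building `f" {key}: ${{{key}:-{default}}}"`.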
The comment says defaults containing special characters should be wrapped in quotes, but the implementation doesn't actually add YAML quotes (it just reassigns the same string). This makes the code misleading and also risks generating invalid YAML if a default ever includes characters that require quoting (e.g., `#`, `,`, `{}`, or `:` followed by a space). Either remove the comment or actually emit a safely-quoted YAML scalar for the default portion.
Suggested change:

```python
# If default value contains special characters, wrap the YAML value in quotes
if re.search(r"[:\s]", default):
    # Escape characters that are special inside a double-quoted YAML string
    escaped_default = default.replace("\\", "\\\\").replace('"', '\\"')
    yaml_value = f"\"${{{key}:-{escaped_default}}}\""
else:
    yaml_value = f"${{{key}:-{default}}}"
lines.append(f"  {key}: {yaml_value}")
```
```python
# Remove existing x-shared-env: &shared-api-worker-env lines
template_content = re.sub(
    r"^x-shared-env: &shared-api-worker-env\s*\n?",
    "",
    template_content,
    flags=re.MULTILINE,
)
```
insert_shared_env() hard-codes the anchor name in the regex (shared-api-worker-env), but main() passes anchor_name as a variable and the generator function supports changing it. If anchor_name is ever changed, the old anchor line won’t be removed and the output will end up with duplicate x-shared-env anchors. Use the passed anchor_name when building the regex (or remove any existing ^x-shared-env: block more generally).
```markdown
- Execute `docker compose up` from the `docker` directory to start the services.
- To specify a vector database, set the `VECTOR_STORE` variable in your `.env` file to your desired vector database service, such as `milvus`, `weaviate`, or `opensearch`.
4. **SSL Certificate Setup**:
   - Rrefer `docker/certbot/README.md` to set up SSL certificates using Certbot.
```
Typo: “Rrefer” should be “Refer”.
Suggested change:

```markdown
   - Refer to `docker/certbot/README.md` to set up SSL certificates using Certbot.
```
```python
# If default value contains special characters, wrap it in quotes
if re.search(r"[:\s]", default):
    default = f"{default}"
lines.append(f"  {key}: ${{{key}:-{default}}}")
```
The comment says defaults containing special characters should be wrapped in quotes, but the implementation doesn’t actually add YAML quotes (it just reassigns the same string). This makes the code misleading and also risks generating invalid YAML if a default ever includes characters that require quoting. Either remove the comment or actually emit a safely-quoted YAML scalar for the default portion.
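The following is an added example, not the PR's `generate_docker_compose` script nor Dify's own generator, covering the two quoting comments above and the hard-coded anchor regex: it validates each key, escapes `$` for Compose, emits the `${KEY:-default}` expression as a JSON string (which is a valid YAML double-quoted scalar) whenever the default contains YAML-sensitive characters, and strips any existing `x-shared-env` block regardless of its anchor name before inserting the new one. The `.env` sample and the template fragment are constructed, and the refusal of `}` in a default rests on the assumption that Compose ends a `${VAR:-default}` expression at the first `}`.

```python
#!/usr/bin/env python3
"""Added example, not the PR's generate_docker_compose: build the
x-shared-env block with defaults that survive both the YAML parser and
Compose's ${VAR:-default} interpolation. The .env sample is constructed."""
import json
import re

# A key that is not a plain identifier (e.g. contains ':' or whitespace)
# would inject YAML structure into the emitted line, so refuse it.
_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Characters that make a plain YAML scalar ambiguous or invalid
# (':' before a space, ' #' comments, flow indicators, quotes, '$', ...).
_NEEDS_QUOTING = re.compile(r"[:#,\[\]{}&*!|>'\"%@`\\\s$]")

_ENV_LINE_RE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


class UnsafeKeyError(ValueError):
    pass


def compose_env_line(key: str, default: str) -> str:
    """Return '  KEY: ${KEY:-default}', quoted as a YAML scalar when needed."""
    if not _KEY_RE.match(key):
        raise UnsafeKeyError(f"refusing key {key!r}: not a plain identifier")
    if "}" in default:
        # Assumption: Compose stops the ${VAR:-default} expression at the
        # first '}', so such a default cannot be expressed here at all.
        raise ValueError(f"default for {key} contains '}}'")
    # Compose reads '$$' as a literal '$'; without this a default such as
    # '$1' would itself be interpolated at compose-up time.
    expr = f"${{{key}:-{default.replace('$', '$$')}}}"
    if _NEEDS_QUOTING.search(default):
        # A JSON string is a valid YAML double-quoted scalar, and json.dumps
        # escapes '"' and '\' exactly as YAML requires.
        return f"  {key}: {json.dumps(expr)}"
    return f"  {key}: {expr}"


def parse_env_example(text: str) -> list:
    """Read KEY=value lines; skip blanks/comments; strip one layer of quotes."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENV_LINE_RE.match(line)
        if not m:
            continue  # not KEY=value: ignore rather than guess
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        pairs.append((key, value))
    return pairs


def shared_env_block(pairs, anchor_name: str = "shared-api-worker-env") -> str:
    lines = [f"x-shared-env: &{anchor_name}"]
    lines.extend(compose_env_line(k, v) for k, v in pairs)
    return "\n".join(lines) + "\n"


def insert_shared_env(template_content: str, block: str) -> str:
    """Prepend the block after deleting any existing x-shared-env block,
    whatever anchor name it used, so regeneration is idempotent."""
    template_content = re.sub(
        r"^x-shared-env: &[\w-]+\n(?:[ \t]+.*\n)*",
        "",
        template_content,
        flags=re.MULTILINE,
    )
    return block + template_content


# Constructed sample, not Dify's .env.example.
SAMPLE_ENV = """\
# database
DB_HOST=db
DB_PORT=5432
CONSOLE_API_URL=
APP_TITLE="Dify: local"
CORS_ORIGINS=http://a.example,http://b.example
"""

if __name__ == "__main__":
    # Constructed template fragment with a stale anchor that must be replaced.
    template = "x-shared-env: &old-anchor\n  FOO: bar\nservices:\n  api:\n    image: langgenius/dify-api\n"
    print(insert_shared_env(template, shared_env_block(parse_env_example(SAMPLE_ENV))), end="")
```

The key validation matters because `.env.example` is repository input that many contributors touch; refusing anything that is not an identifier keeps a malformed line from becoming a second YAML mapping key or a comment that swallows the rest of the block.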
```yaml
# Use the shared environment variables.
DB_HOST: ${DB_HOST:-db}
DB_PORT: ${DB_PORT:-5432}
DB_USERNAME: ${DB_USER:-postgres}
```
plugin_daemon sets DB_USERNAME: ${DB_USER:-postgres}, but the provided middleware env example uses PGUSER / POSTGRES_* and does not define DB_USER. This makes DB username configuration inconsistent and can lead to unintentionally connecting as postgres. Align this with the actual variable name used elsewhere (e.g., DB_USERNAME or PGUSER).
Suggested change:

```yaml
DB_USERNAME: ${DB_USERNAME:-postgres}
```
```sh
# used to automatically create the cluster based on environment variables
# https://docs.couchbase.com/server/current/cli/cbcli/couchbase-cli-cluster-init.html

echo $COUCHBASE_ADMINISTRATOR_USERNAME ":" $COUCHBASE_ADMINISTRATOR_PASSWORD
```
This echoes the Couchbase administrator password to container logs, which is a credential leak. Please remove the password from logs (or only log a redacted value) so secrets aren’t exposed via stdout/log aggregation.
Suggested change:

```sh
echo "Initializing Couchbase cluster with admin user: $COUCHBASE_ADMINISTRATOR_USERNAME (password: ******)"
```
```sh
sed -e "s|\${CERTBOT_EMAIL}|$CERTBOT_EMAIL|g" \
    -e "s|\${CERTBOT_DOMAIN}|$CERTBOT_DOMAIN|g" \
    -e "s|\${CERTBOT_OPTIONS}|$CERTBOT_OPTIONS|g" \
```
The sed substitutions inject CERTBOT_* values directly into a shell script without escaping. If CERTBOT_OPTIONS (or email/domain) contains &, backslashes, or newlines, the generated /update-cert.sh can be corrupted or behave unexpectedly. Escape sed replacement strings (or avoid templating via sed by passing env vars directly to the script).
Suggested change:

```sh
# Sanitize CERTBOT_* values for safe use in sed replacements:
# - Replace newlines with spaces.
# - Escape &, \, /, and | which are special in sed replacement strings
#   and/or in our chosen delimiter.
CERTBOT_EMAIL_SED_ESCAPED=$(printf '%s' "${CERTBOT_EMAIL}" | tr '\n' ' ' | sed -e 's/[&\\/|]/\\&/g')
CERTBOT_DOMAIN_SED_ESCAPED=$(printf '%s' "${CERTBOT_DOMAIN}" | tr '\n' ' ' | sed -e 's/[&\\/|]/\\&/g')
CERTBOT_OPTIONS_SED_ESCAPED=$(printf '%s' "${CERTBOT_OPTIONS}" | tr '\n' ' ' | sed -e 's/[&\\/|]/\\&/g')
sed -e 's|${CERTBOT_EMAIL}|'"${CERTBOT_EMAIL_SED_ESCAPED}"'|g' \
    -e 's|${CERTBOT_DOMAIN}|'"${CERTBOT_DOMAIN_SED_ESCAPED}"'|g' \
    -e 's|${CERTBOT_OPTIONS}|'"${CERTBOT_OPTIONS_SED_ESCAPED}"'|g' \
```
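The following is an added example, not the PR's `certbot/docker-entrypoint.sh`: it packages the escaping described in the comment above into a reusable `sed_escape` function, renders a constructed stand-in for `update-cert.template.txt`, and exercises it on an options value that carries every character the replacement side of `sed s|||` treats specially (`&`, `\`, the `|` delimiter, and a newline). The template text and values are constructed, and the `s|${CERTBOT_...}|...|g` patterns rely on `$` and `{` being literal in a sed BRE when not at the end of the expression, as in the suggested change.

```sh
#!/bin/sh
# Added example, not the PR's certbot/docker-entrypoint.sh: render a
# shell-script template with sed without letting CERTBOT_* values corrupt
# the generated script. Template text and values below are constructed.
set -eu

# Escape a value for the replacement side of `s|pat|repl|g`:
# newlines become spaces; `&`, `\` and the `|` delimiter get a backslash.
sed_escape() {
  printf '%s' "$1" | tr '\n' ' ' | sed -e 's/[&|\\]/\\&/g'
}

# Render template text ($1) with email ($2), domain ($3), options ($4).
# The pattern side is single-quoted so the shell leaves ${...} alone and
# sed sees it as a literal BRE; the replacement side is the escaped value.
render_certbot_template() {
  printf '%s\n' "$1" | sed \
    -e 's|${CERTBOT_EMAIL}|'"$(sed_escape "$2")"'|g' \
    -e 's|${CERTBOT_DOMAIN}|'"$(sed_escape "$3")"'|g' \
    -e 's|${CERTBOT_OPTIONS}|'"$(sed_escape "$4")"'|g'
}

# Constructed stand-in for update-cert.template.txt.
TEMPLATE='certbot certonly --webroot -w /var/www/html --email ${CERTBOT_EMAIL} -d ${CERTBOT_DOMAIN} ${CERTBOT_OPTIONS}'

# Demonstration: an options value carrying every sed-special character.
render_certbot_template "$TEMPLATE" 'ops@example.com' 'example.com' '--dry-run & --agree-tos | tee /tmp/a\b'
```

Escaping only closes the sed hole; whatever ends up in `CERTBOT_OPTIONS` is still spliced into a script the container executes. Having `update-cert.sh` read `$CERTBOT_EMAIL`, `$CERTBOT_DOMAIN` and `$CERTBOT_OPTIONS` from the environment at run time, as the comment above also suggests, removes the templating step and this escaping with it.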
```python
#!/usr/bin/env python3
import os
import re
import sys
```
This script appears to be a duplicate of code/generate_docker_compose (same logic and structure). Maintaining two copies will likely lead to drift and inconsistent generated outputs. Consider keeping a single canonical script (and referencing it from both locations) unless both are intentionally different targets.
```python
# Remove existing x-shared-env: &shared-api-worker-env lines
template_content = re.sub(
    r"^x-shared-env: &shared-api-worker-env\s*\n?",
    "",
    template_content,
    flags=re.MULTILINE,
)
```
insert_shared_env() hard-codes the anchor name in the regex (shared-api-worker-env), but main() passes anchor_name as a variable and the generator function supports changing it. If anchor_name is ever changed, the old anchor line won’t be removed and the output will end up with duplicate x-shared-env anchors. Use the passed anchor_name when building the regex (or remove any existing ^x-shared-env: block more generally).
No description provided.